Cyber Posture

CVE-2026-33804
Severity: High

Published: 16 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (upgrade to @fastify/middie 9.3.2)
CVSS Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0005 (14.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33804 is a high-severity Interpretation Conflict (CWE-436) vulnerability in OpenJSF's @fastify/middie, the Express-style middleware engine for Fastify. Its CVSS 3.1 base score is 7.4 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 14.8th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings), alongside the vendor fix of upgrading to @fastify/middie 9.3.2.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and correction of the specific flaw in @fastify/middie that enables middleware bypass via duplicate slashes; in practice, upgrading to 9.3.2.

AC-3 Access Enforcement (prevent)
Mandates enforcement of approved authorizations for all request paths, so that authentication and authorization checks performed in middleware cannot be sidestepped by path normalization discrepancies between the middleware layer and the router.

CM-6 Configuration Settings (prevent)
Establishes secure configuration settings that disable the deprecated ignoreDuplicateSlashes option, the only workaround the advisory offers short of upgrading.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

The middleware bypass via duplicate slashes in HTTP request paths lets an unauthenticated client on the Internet reach routes that an auth/authz middleware was meant to guard, which is exactly the initial-access pattern T1190 describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
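The T1190 mapping above is only useful to a defender who can see the attempts. The following is an added detection example, not code from this page, from NVD or from the Fastify project: it scans access-log lines for request paths that miss every protected prefix as sent but land inside one once duplicate slashes are collapsed, which is precisely the condition under which a prefix-matching middleware and a normalizing router disagree. The combined-log format, the protected prefixes, the helper names and the sample lines are all constructed assumptions for illustration.

```javascript
// Added detection example for CVE-2026-33804-style probes. Not from the
// advisory or from @fastify/middie; log format, prefixes and sample lines are
// constructed for illustration.

// Assumed model of the router normalization the advisory describes for
// Fastify's ignoreDuplicateSlashes option: runs of "/" collapse to one.
function collapseSlashes(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Mount-path check: "/admin" and "/admin/..." match, "/administrator" does not.
function prefixMatches(prefix, path) {
  return path === prefix || path.startsWith(prefix + '/');
}

// Minimal combined-log-format parser: client, method, raw request target, status.
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, client, method, target, status] = m;
  // Path only; the query string takes no part in route matching.
  const rawPath = target.split('?')[0];
  return { client, method, rawPath, status: Number(status) };
}

// A request is suspicious when the path as sent is outside every protected
// prefix but its slash-collapsed form is inside one. A 2xx on such a request
// is the signal that the bypass actually worked.
function findBypassAttempts(logText, protectedPrefixes) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const req = parseLine(line);
    if (!req || !req.rawPath.includes('//')) continue;
    const normalized = collapseSlashes(req.rawPath);
    const rawProtected = protectedPrefixes.some(p => prefixMatches(p, req.rawPath));
    const normProtected = protectedPrefixes.some(p => prefixMatches(p, normalized));
    if (!rawProtected && normProtected) {
      hits.push({ ...req, normalized, succeeded: req.status >= 200 && req.status < 300 });
    }
  }
  return hits;
}

// Constructed sample log: a normal 401, a probe that was rejected, a probe that
// came back 200 (the one worth paging someone for), noise, and a bad line.
const SAMPLE_LOG = [
  '203.0.113.7 - - [16/Apr/2026:10:00:01 +0000] "GET /admin/users HTTP/1.1" 401 0',
  '203.0.113.7 - - [16/Apr/2026:10:00:02 +0000] "GET //admin/users HTTP/1.1" 404 0',
  '198.51.100.9 - - [16/Apr/2026:10:00:03 +0000] "GET //admin/users?page=1 HTTP/1.1" 200 812',
  '198.51.100.9 - - [16/Apr/2026:10:00:04 +0000] "GET /admin//users HTTP/1.1" 401 0',
  '192.0.2.5 - - [16/Apr/2026:10:00:05 +0000] "GET //static/app.js HTTP/1.1" 200 4410',
  'garbage line that does not parse',
].join('\n');

// Assumed set of prefixes that middleware, not the route handler, protects.
const PROTECTED = ['/admin', '/api/internal'];

function summarize(hits) {
  return hits.map(h =>
    `${h.client} ${h.method} ${h.rawPath} -> ${h.normalized} (${h.status})${h.succeeded ? ' BYPASS' : ''}`);
}

const findings = findBypassAttempts(SAMPLE_LOG, PROTECTED);
console.log(summarize(findings).join('\n'));
```

Note that `/admin//users` is deliberately not flagged: the duplicate slash sits after the mount path, so a prefix match on the raw path still fires the middleware. Only a doubled slash that breaks the prefix itself (here the leading `//`) produces the disagreement. Tune `PROTECTED` to the mount paths your own `app.use()` calls register.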

NVD Description

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

Deeper analysis

CVE-2026-33804 is a middleware bypass in @fastify/middie 9.3.1 and earlier. It surfaces only when the deprecated Fastify ignoreDuplicateSlashes option is enabled: with that option on, Fastify's router collapses repeated slashes before it looks up a route, while middie's path matching compares middleware mount paths against the request path as received. The two components therefore interpret the same URL differently (CWE-436), so a request whose duplicated slash falls inside a middleware's mount path (for example //admin/users against middleware mounted on /admin) can reach the route handler without ever passing through that middleware.

An unauthenticated attacker with network access exploits this by sending HTTP requests whose path contains duplicate slashes ahead of a protected prefix. Attack complexity is rated High because success depends on a precondition outside the attacker's control: the target must have opted into the deprecated ignoreDuplicateSlashes setting, and the attacker must find a route that middleware, rather than the route handler itself, protects. A successful bypass yields high confidentiality and integrity impact (reads of, or writes to, resources the middleware was guarding) and no availability impact.

The fix is to upgrade to @fastify/middie 9.3.2. The only workaround is to disable ignoreDuplicateSlashes, so that the router no longer collapses slashes and middleware and router again agree on the path; applications that relied on the option should expect paths with duplicate slashes to stop matching their routes. Details are in the OpenJSF CNA advisory and the GitHub security advisory GHSA-v9ww-2j6r-98q6.
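The following is an added model of the interpretation conflict described above and in the NVD text. It is not @fastify/middie's or Fastify's source and does not import either; the function names (`collapseSlashes`, `prefixMatches`, `dispatch`), the single `/admin/users` route and the three probe paths are assumptions made for illustration. It runs the same unauthenticated probes through three configurations: the vulnerable shape (option on, middleware matching the raw path), the advisory's workaround (option off), and the fix shape (middleware and router matching the same normalized path).

```javascript
// Added example modelling the CWE-436 path-normalization conflict behind
// CVE-2026-33804. Not the project's code; names and routes are assumptions.

// Assumed model of what Fastify's router does with ignoreDuplicateSlashes on:
// runs of "/" collapse to one before route lookup.
function collapseSlashes(path) {
  return path.replace(/\/{2,}/g, '/');
}

// Express-style mount-path check: "/admin" and "/admin/..." match,
// "/administrator" does not.
function prefixMatches(prefix, path) {
  return path === prefix || path.startsWith(prefix + '/');
}

// Model of an app with one auth middleware mounted at /admin and one route.
// normalizeBeforeMiddleware selects the vulnerable (false) or fixed (true) shape.
function dispatch(rawPath, { ignoreDuplicateSlashes, normalizeBeforeMiddleware }) {
  const routerPath = ignoreDuplicateSlashes ? collapseSlashes(rawPath) : rawPath;
  // Vulnerable shape: middleware sees the raw URL, router sees the normalized one.
  const middlewarePath = normalizeBeforeMiddleware ? routerPath : rawPath;

  const authRan = prefixMatches('/admin', middlewarePath);
  const routeHit = routerPath === '/admin/users' ? 'adminUsers' : null;

  // The probes carry no credentials, so auth rejects whenever it actually runs.
  // The bug is the case where it never runs yet the route still executes.
  if (authRan) return { status: 401, authRan, routeHit };
  if (routeHit) return { status: 200, authRan, routeHit };
  return { status: 404, authRan, routeHit };
}

// Constructed probe paths: a clean request, a doubled slash that breaks the
// mount prefix, and a doubled slash after the prefix.
const probes = ['/admin/users', '//admin/users', '/admin//users'];

function runScenario(opts) {
  return Object.fromEntries(probes.map(p => [p, dispatch(p, opts)]));
}

// Vulnerable: option enabled, middleware matches the raw path.
const vulnerable = runScenario({ ignoreDuplicateSlashes: true, normalizeBeforeMiddleware: false });
// Advisory workaround: option disabled, duplicate slashes stay literal everywhere.
const optionOff = runScenario({ ignoreDuplicateSlashes: false, normalizeBeforeMiddleware: false });
// Fix shape: middleware and router agree on one normalized path.
const fixed = runScenario({ ignoreDuplicateSlashes: true, normalizeBeforeMiddleware: true });

console.log(JSON.stringify({ vulnerable, optionOff, fixed }, null, 2));
```

In the vulnerable run, `//admin/users` returns 200 with `authRan: false`: the router found the route, the middleware never saw a path under `/admin`. With the option off, the same probe is a plain 404 because nothing normalizes it; in the fixed shape it is a 401 like the clean request. `/admin//users` is a 401 in every run, since the duplicate slash after the mount path does not disturb a prefix match. The general lesson is the one CWE-436 names: every component that makes an authorization decision on a path must see the same canonical form of that path as the component that finally dispatches it.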

Details

CWE(s)
CWE-436 Interpretation Conflict

Affected Products
openjsf @fastify/middie ≤ 9.3.1 (fixed in 9.3.2)

CVEs Like This One

CVE-2026-6270 (same product: OpenJSF @fastify/middie)
CVE-2026-22031 (same product: OpenJSF @fastify/middie)
CVE-2026-2880 (same product: OpenJSF @fastify/middie)
CVE-2026-33807 (shared CWE-436)
CVE-2026-25223 (shared CWE-436)
CVE-2026-41248 (shared CWE-436)
CVE-2026-6322 (shared CWE-436)
CVE-2026-27444 (shared CWE-436)
CVE-2026-27896 (shared CWE-436)
CVE-2026-0958 (shared CWE-436)
